chore: fix discovered Windows.UI.Xaml.dll, InputSwitch.dll, and CStartExperienceManager vtable pattern issues

Amrsatrio · Amrsatrio · commit bdf95c3c2e44 · 2026-04-19T18:45:16.000+07:00
diff --git a/ExplorerPatcher/InputSwitch.cpp b/ExplorerPatcher/InputSwitch.cpp
@@ -221,19 +221,19 @@ BOOL PatchContextMenuOfNewMicrosoftIME(BOOL* bFound)
         "\x44\x38\x00\x00\x74\x00\x00\x8B\xCE\xE8\x00\x00\x00\x00\x85\xC0",
         "xx??x??xxx????xx"
     );
-    if (!match)
-        return FALSE;
-
-    DWORD dwOldProtect;
-    if (!VirtualProtect(match + 4, 1, PAGE_EXECUTE_READWRITE, &dwOldProtect))
-        return FALSE;
-
-    match[4] = 0xEB;
-
-    VirtualProtect(match + 4, 1, dwOldProtect, &dwOldProtect);
-
-    return TRUE;
+    if (match)
+    {
+        DWORD dwOldProtect;
+        if (VirtualProtect(match + 4, 1, PAGE_EXECUTE_READWRITE, &dwOldProtect))
+        {
+            match[4] = 0xEB;
+            VirtualProtect(match + 4, 1, dwOldProtect, &dwOldProtect);
+            return TRUE;
+        }
+    }
 #elif defined(_M_ARM64)
+    DWORD newInsn = 0;
+
     // A8 43 40 39 C8 04 00 34 E0 03 ?? AA
     //             ^^^^^^^^^^^ Change CBZ to B
     // Ref: CTsfHandler::_OnOopImeContextMenu()
@@ -243,23 +243,60 @@ BOOL PatchContextMenuOfNewMicrosoftIME(BOOL* bFound)
         "\xA8\x43\x40\x39\xC8\x04\x00\x34\xE0\x03\x00\xAA",
         "xxxxxxxxxx?x"
     );
-    if (!match)
-        return FALSE;
-
-    match += 4;
-
-    DWORD newInsn = ARM64_CBZWToB(*(DWORD*)match);
-    if (!newInsn)
-        return FALSE;
-
-    DWORD dwOldProtect;
-    if (!VirtualProtect(match, 4, PAGE_EXECUTE_READWRITE, &dwOldProtect))
-        return FALSE;
-
-    *(DWORD*)match = newInsn;
-
-    VirtualProtect(match, 4, dwOldProtect, &dwOldProtect);
+    if (match)
+    {
+        match += 4;
+        newInsn = ARM64_CBZWToB(*(DWORD*)match);
+    }
+    else
+    {
+        // GetContextMenuResourceId() inlined
+        // MOV W19/W20, #15305
+        // W19: 0b01010010100_0011101111001001_10011 = 52877933 = 33 79 87 52
+        // W20: 0b01010010100_0011101111001001_10100 = 52877934 = 34 79 87 52
+        // P:   0b01010010100_0011101111001001_10??? = 52877930 = 30 79 87 52
+        // M:   0b11111111111_1111111111111111_11000 = FFFFFFF8 = F8 FF FF FF
+        // Ref: CTsfHandler::_OnOopImeContextMenu()
+        match = (PBYTE)FindPatternBitMask_4_(
+            pInputSwitchText,
+            cbInputSwitchText,
+            "\x30\x79\x87\x52",
+            "\xF8\xFF\xFF\xFF",
+            4
+        );
+        if (match)
+        {
+            match += 4; // Point to after the mov
+
+            // We might be a jmp, follow it if so
+            PBYTE pJmpTarget = (PBYTE)ARM64_FollowB((DWORD*)match);
+            if (pJmpTarget)
+            {
+                match = pJmpTarget;
+            }
+
+            if (*(DWORD*)match == 0x52800033)
+            {
+                newInsn = 0x52800013; // MOV W19, #0
+            }
+            else if (*(DWORD*)match == 0x52800034)
+            {
+                newInsn = 0x52800014; // MOV W20, #0
+            }
+        }
+    }
 
-    return TRUE;
+    if (newInsn)
+    {
+        DWORD dwOldProtect;
+        if (VirtualProtect(match, 4, PAGE_EXECUTE_READWRITE, &dwOldProtect))
+        {
+            *(DWORD*)match = newInsn;
+            VirtualProtect(match, 4, dwOldProtect, &dwOldProtect);
+            return TRUE;
+        }
+    }
 #endif
+
+    return FALSE;
 }
diff --git a/ExplorerPatcher/TwinUIPatches.cpp b/ExplorerPatcher/TwinUIPatches.cpp
@@ -1859,17 +1859,17 @@ BOOL FixStartMenuAnimation(HMODULE hTwinuiPcshell, PBYTE pSearchBegin, size_t cb
         matchVtable += 7 + *(int*)(matchVtable + 3);
     }
 #elif defined(_M_ARM64)
-    // * Pattern for Nickel
+    // * Pattern for Cobalt and Nickel
     //   ```
-    //   69 A2 03 A9 ?? ?? 00 ?? 08 ?? ?? 91 ?? ?? 00 ?? 29 ?? ?? 91 68 32 00 F9
+    //   69 A2 03 A9 ?? ?? 00 ?? 08 ?? ?? 91 ?? ?? 00 ?? 29 ?? ?? 91 ?? 32 00 F9 60 ?? ?? 91 ?? 26 00 F9 ?? ?? ?? ?? 1F 20 03 D5
     //               ^^^^^^^^^^^+^^^^^^^^^^^
     //   ```
     // Ref: CStartExperienceManager::CStartExperienceManager()
     PBYTE matchVtable = (PBYTE)FindPattern_4_(
         pSearchBegin,
         cbSearch,
-        "\x69\xA2\x03\xA9\x00\x00\x00\x00\x08\x00\x00\x91\x00\x00\x00\x00\x29\x00\x00\x91\x68\x32\x00\xF9",
-        "xxxx??x?x??x??x?x??xxxxx"
+        "\x69\xA2\x03\xA9\x00\x00\x00\x00\x08\x00\x00\x91\x00\x00\x00\x00\x29\x00\x00\x91\x00\x32\x00\xF9\x60\x00\x00\x91\x00\x26\x00\xF9\x00\x00\x00\x00\x1F\x20\x03\xD5",
+        "xxxx??x?x??x??x?x??x?xxxx??x?xxx????xxxx"
     );
     if (matchVtable)
     {
diff --git a/ExplorerPatcher/dllmain.c b/ExplorerPatcher/dllmain.c
@@ -1364,17 +1364,21 @@ void ForceEnableXamlSounds(HMODULE hWindowsUIXaml)
 #elif defined(_M_ARM64)
     // 08 ?? ?? B9 1F 09 00 71 ?? ?? ?? 54 ?? 00 00 35 ?? ?? ?? ??
     //                                                 ^^^^^^^^^^^ BL -> MOV W0, #1
-    PBYTE match = FindPattern_4_(
+    // BL:
+    // P: 0b100101_00000000000000000000000000 = 94000000 = 00 00 00 94
+    // M: 0b111111_00000000000000000000000000 = FC000000 = 00 00 00 FC
+    PBYTE match = FindPatternBitMask_4_(
         pWindowsUIXamlText,
         cbWindowsUIXamlText,
-        "\x08\x00\x00\xB9\x1F\x09\x00\x71\x00\x00\x00\x54\x00\x00\x00\x35",
-        "x??xxxxx???x?xxx"
+        "\x08\x00\x00\xB9\x1F\x09\x00\x71\x00\x00\x00\x54\x00\x00\x00\x35\x00\x00\x00\x94",
+        "\xFF\x00\x00\xFF\xFF\xFF\xFF\xFF\x00\x00\x00\xFF\x00\xFF\xFF\xFF\x00\x00\x00\xFC",
+        20
     );
     if (match)
     {
         match += 16;
-        DWORD currentInsn = *(DWORD*)match;
-        DWORD newInsn = ARM64_IsBL(currentInsn) ? 0x52800020 : 0; // MOV W0, #1
+        // DWORD currentInsn = *(DWORD*)match;
+        DWORD newInsn = /*ARM64_IsBL(currentInsn) ?*/ 0x52800020 /*: 0*/; // MOV W0, #1
         if (newInsn)
         {
             DWORD flOldProtect = 0;
@@ -9931,6 +9935,7 @@ static void PatchAppResolver()
         match += 5 + *(int*)(match + 1);
     }
 #elif defined(_M_ARM64)
+    // Nickel+
     // 7F 23 03 D5  FD 7B BC A9  F3 53 01 A9  F5 5B 02 A9  F7 1B 00 F9  FD 03 00 91  ?? ?? ?? ??  FF 43 01 D1  F7 03 00 91  30 00 80 92  F0 1A 00 F9  ?? 03 01 AA  ?? 03 02 AA  FF ?? 00 F9
     // ----------- PACIBSP, don't scan for this because it's everywhere
     PBYTE match = FindPattern_4_(
@@ -9943,6 +9948,22 @@ static void PatchAppResolver()
     {
         match -= 4;
     }
+    else
+    {
+        // Cobalt
+        // 7F 23 03 D5  FD 7B BC A9  F3 53 01 A9  F5 5B 02 A9  F7 1B 00 F9  F9 1F 00 F9  FD 03 00 91  ?? ?? ?? ??  FF 43 01 D1  F7 03 00 91  30 00 80 92  F0 1A 00 F9  ?? 03 01 AA  ?? 03 02 AA  FF ?? 00 F9
+        // ----------- PACIBSP, don't scan for this because it's everywhere
+        match = (PBYTE)FindPattern_4_(
+            pAppResolverText,
+            cbAppResolverText,
+            "\xFD\x7B\xBC\xA9\xF3\x53\x01\xA9\xF5\x5B\x02\xA9\xF7\x1B\x00\xF9\xF9\x1F\x00\xF9\xFD\x03\x00\x91\x00\x00\x00\x00\xFF\x43\x01\xD1\xF7\x03\x00\x91\x30\x00\x80\x92\xF0\x1A\x00\xF9\x00\x03\x01\xAA\x00\x03\x02\xAA\xFF\x00\x00\xF9",
+            "xxxxxxxxxxxxxxxxxxxxxxxx????xxxxxxxxxxxxxxxx?xxx?xxxx?xx"
+        );
+        if (match)
+        {
+            match -= 4;
+        }
+    }
 #endif
     if (match)
     {
@@ -11990,18 +12011,18 @@ static BOOL StartMenu_FixContextMenuXbfHijackMethod()
         return FALSE;
 
 #if defined(_M_X64)
-    // 49 89 43 C8 E8 ?? ?? ?? ?? 85 C0
-    //                ^^^^^^^^^^^
+    // 48 8B 45 ?? 49 89 43 C8 E8 ?? ?? ?? ?? 85 C0
+    //                            ^^^^^^^^^^^
     // Ref: CCoreServices::LoadXamlResource()
     PBYTE match = FindPattern(
         pWindowsUIXamlText,
         cbWindowsUIXamlText,
-        "\x49\x89\x43\xC8\xE8\x00\x00\x00\x00\x85\xC0",
-        "xxxxx????xx"
+        "\x48\x8B\x45\x00\x49\x89\x43\xC8\xE8\x00\x00\x00\x00\x85\xC0",
+        "xxx?xxxxx????xx"
     );
     if (match)
     {
-        match += 4;
+        match += 8;
         match += 5 + *(int*)(match + 1);
     }
     else
@@ -12023,14 +12044,14 @@ static BOOL StartMenu_FixContextMenuXbfHijackMethod()
         }
     }
 #elif defined(_M_ARM64)
-    // E1 0B 40 F9 05 00 80 D2 04 00 80 D2 E3 03 ?? AA E2 03 ?? AA E0 03 ?? AA ?? ?? ?? 97
+    // E1 0B 40 F9 05 00 80 D2 04 00 80 D2 E3 03 ?? AA E2 03 ?? AA E0 03 ?? AA ?? ?? ?? ?? ?? 03 00 2A
     //                                                                         ^^^^^^^^^^^
     // Ref: CoreServices_TryGetApplicationResource()
     PBYTE match = FindPattern_4_(
         pWindowsUIXamlText,
         cbWindowsUIXamlText,
-        "\xE1\x0B\x40\xF9\x05\x00\x80\xD2\x04\x00\x80\xD2\xE3\x03\x00\xAA\xE2\x03\x00\xAA\xE0\x03\x00\xAA\x00\x00\x00\x97",
-        "xxxxxxxxxxxxxx?xxx?xxx?x???x"
+        "\xE1\x0B\x40\xF9\x05\x00\x80\xD2\x04\x00\x80\xD2\xE3\x03\x00\xAA\xE2\x03\x00\xAA\xE0\x03\x00\xAA\x00\x00\x00\x00\x00\x03\x00\x2A",
+        "xxxxxxxxxxxxxx?xxx?xxx?x?????xxx"
     );
     if (match)
     {
